#define APP_TEST_AV_1 "test-antivirus1"
#define APP_TEST_AV_2 "test-antivirus_2"
#define APP_TEST_AV_3 "test-av-3"
+
#define SMACK_APPS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_apps_id.db"
#define SMACK_AVS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_avs_id.db"
+#define SMACK_PUBLIC_DIRS_DATABASE "/opt/dbspace/.privilege_control_public_dirs.db"
+#define SMACK_APPS_SETTINGS_LABELS_DATABASE "/opt/dbspace/.privilege_control_app_setting.db"
+#define SMACK_SETTINGS_DIRS_DATABASE "/opt/dbspace/.privilege_control_setting_dir.db"
+
+#define APP_TEST_SETTINGS_ASP1 "test-app-settings-asp1"
+#define APP_TEST_SETTINGS_ASP2 "test-app-settings-asp2"
+#define APP_TEST_AV_ASP1 "test-app-av-asp1"
+#define APP_TEST_AV_ASP2 "test-app-av-asp2"
#define SOCK_PATH "/tmp/test-smack-socket"
result = strcmp(APPID_SHARED_DIR, label);
RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
+ result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxat");
+ RUNNER_ASSERT_MSG(result == 1,
+ "Error rwxat access was not given shared dir. Subject: " <<
+ APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result);
/* EXEC */
result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
return 0;
}
+int check_labels_dir(const char *fpath, const struct stat *sb,
+ const char* labels_db_path, const char* dir_db_path,
+ const char* access)
+{
+ int result;
+ char* label;
+ char* label_gen;
+ char* scanf_label_format;
+ char label_temp[SMACK_LABEL_LEN + 1];
+ FILE* file_db;
+
+ /* ACCESS */
+ result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ RUNNER_ASSERT_MSG(label_gen != NULL, "ACCESS label on " << fpath << " is not set");
+
+ /* EXEC */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
+ if(result != 0){
+ free(label_gen);
+ RUNNER_ASSERT_MSG(false, "Could not get label for the path");
+ }
+ if(label != NULL){
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG(false, "EXEC label on " << fpath << " is set.");
+ }
+
+ /* TRANSMUTE */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
+ if(result != 0){
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG(false, "Could not get label for the path");
+ }
+ if (S_ISDIR(sb->st_mode)) {
+ if(label == NULL){
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set");
+ }
+ result = strcmp("TRUE", label);
+ if(result != 0){
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set to TRUE");
+ }
+ } else if(label != NULL){
+ free(label_gen);
+ free(label);
+ RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is set");
+ }
+
+ free(label);
+
+ if(0 > asprintf(&scanf_label_format, "%%%ds\\n", SMACK_LABEL_LEN)){
+ free(label_gen);
+ RUNNER_ASSERT_MSG(false, "asprintf failed");
+ }
+
+ file_db = fopen(labels_db_path, "r");
+ if(file_db == NULL){
+ free(label_gen);
+ free(scanf_label_format);
+ RUNNER_ASSERT_MSG(false, "Can not open database for apps");
+ }
+ while(fscanf(file_db, scanf_label_format, label_temp)==1){
+ result = smack_have_access(label_temp, label_gen, access);
+ if(result != 1){
+ fclose(file_db);
+ free(label_gen);
+ free(scanf_label_format);
+ RUNNER_ASSERT_MSG(false,
+ "Error " << access << " access was not given for subject: "
+ << label_temp << ". Result: " << result);
+ }
+ }
+ fclose(file_db);
+
+ file_db = fopen(dir_db_path, "r");
+ if(file_db == NULL){
+ free(label_gen);
+ free(scanf_label_format);
+ RUNNER_ASSERT_MSG(false, "Can not open database for dirs");
+ }
+ bool is_dir = false;
+ while(fscanf(file_db, scanf_label_format, label_temp)==1){
+ if(strcmp(label_gen, label_temp) == 0){
+ is_dir = true;
+ break;
+ }
+ }
+ free(scanf_label_format);
+ free(label_gen);
+ fclose(file_db);
+
+ RUNNER_ASSERT_MSG(is_dir, "Error autogenerated label is not in dirs db.");
+
+ return 0;
+}
+
+int nftw_check_labels_app_public_dir(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW * /*ftwbuf*/)
+{
+ return check_labels_dir(fpath, sb,
+ SMACK_APPS_LABELS_DATABASE,
+ SMACK_PUBLIC_DIRS_DATABASE, "rx");
+}
+
+int nftw_check_labels_app_settings_dir(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW * /*ftwbuf*/)
+{
+ return check_labels_dir(fpath, sb,
+ SMACK_APPS_SETTINGS_LABELS_DATABASE,
+ SMACK_SETTINGS_DIRS_DATABASE, "rwx");
+}
+
int file_exists(const char* path)
{
FILE* file = fopen(path, "r");
return -1;
}
+ //clean app settings database
+ unlink(SMACK_APPS_SETTINGS_LABELS_DATABASE);
+ fd = open(SMACK_APPS_SETTINGS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
+ if (fd == -1) {
+ return -1;
+ }
+
+ //clean public dirs database
+ unlink(SMACK_PUBLIC_DIRS_DATABASE);
+ fd = open(SMACK_PUBLIC_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
+ if (fd == -1) {
+ return -1;
+ }
+
+ //clean settings dirs database
+ unlink(SMACK_SETTINGS_DIRS_DATABASE);
+ fd = open(SMACK_SETTINGS_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
+ if (fd == -1) {
+ return -1;
+ }
+
return 0;
}
+
+void add_lables_to_db()
+{
+ FILE* file_db;
+
+ file_db = fopen(SMACK_AVS_LABELS_DATABASE, "a");
+ RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
+ << SMACK_AVS_LABELS_DATABASE << " can not be opened to apend!");
+ if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) {
+ fclose(file_db);
+ RUNNER_ASSERT_MSG(false, "Error writing to database file");
+ }
+ if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) {
+ fclose(file_db);
+ RUNNER_ASSERT_MSG(false, "Error writing to database file");
+ }
+ fclose(file_db);
+
+ file_db = fopen(SMACK_APPS_SETTINGS_LABELS_DATABASE, "a");
+ RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
+ << SMACK_APPS_SETTINGS_LABELS_DATABASE << " can not be opened to apend!");
+ if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) {
+ fclose(file_db);
+ RUNNER_ASSERT_MSG(false, "Error writing to database file");
+ }
+ if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) {
+ fclose(file_db);
+ RUNNER_ASSERT_MSG(false, "Error writing to database file");
+ }
+ fclose(file_db);
+
+ file_db = fopen(SMACK_APPS_LABELS_DATABASE, "a");
+ RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
+ << SMACK_APPS_LABELS_DATABASE << " can not be opened to apend!");
+ if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) {
+ fclose(file_db);
+ RUNNER_ASSERT_MSG(false, "Error writing to database file");
+ }
+ if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) {
+ fclose(file_db);
+ RUNNER_ASSERT_MSG(false, "Error writing to database file");
+ }
+ if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) {
+ fclose(file_db);
+ RUNNER_ASSERT_MSG(false, "Error writing to database file");
+ }
+ if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) {
+ fclose(file_db);
+ RUNNER_ASSERT_MSG(false, "Error writing to database file");
+ }
+ fclose(file_db);
+}
} // namespace
RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
}
-
/**
* Add permisions from test_privilege_control_rules template
*/
}
+
+RUNNER_TEST(privilege_control18_app_setup_path_public)
+{
+ int result;
+
+ cleaning_smack_database_files();
+ add_lables_to_db();
+
+ result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+
+ result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO);
+ RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
+
+ result = nftw(TEST_APP_DIR, &nftw_check_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
+
+ cleaning_smack_database_files();
+}
+
+RUNNER_TEST(privilege_control19_app_setup_path_settings)
+{
+ int result;
+
+ cleaning_smack_database_files();
+ add_lables_to_db();
+
+ result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
+
+ result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW);
+ RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
+
+ result = nftw(TEST_APP_DIR, &nftw_check_labels_app_settings_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
+
+ result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
+
+ cleaning_smack_database_files();
+}